The Basics of Good WordPress Security Controls


Moving beyond the theoretical, we take the concepts presented above and provide a list of actions you can take as a website administrator to harden your WordPress site and improve your security posture:

  • Limit access: Reduce the number of people who have administrative access to your WordPress site to a minimum. You should also reduce the number of possible entry points to a minimum: only install web applications that you actually need and use, and remove any unused plugins and themes. This follows the principle of least privilege and provides administrative and logical controls that help preserve confidentiality, integrity and availability.
  • Functional Isolation: Configure your system to minimize the damage that can be done if it is compromised. Where possible, avoid hosting a large number of diverse web applications on a single hosting account. Logically separating applications into separate accounts, each with its own access credentials, confines a compromise to that one account and reduces the damage.
  • Backups: Maintain reliable backups. Periodically verify the integrity of your backups to make sure that you can actually restore your website if it is damaged. Have a plan to recover your website if it is compromised, and document this plan. A good starting point is the WordPress Backups guide.
  • Stay Up-to-Date: Do your best to keep your WordPress installation, including plugins and themes, up to date. Put an administrative control in place that requires a check, at some set frequency, of the status of your site and its extensible components.
  • Trusted Sources: Do not get plugins or themes from sources that are not trusted. Googling for a free version of a premium plugin is a recipe for disaster. Malicious people and organizations distribute so-called 'nulled' plugins and themes: copies of the premium product that appear to work as expected but are bundled with malware.
  • Security Updates and News: Security vulnerabilities affect all software, and WordPress is no different. To stay current, we recommend subscribing to the vulnerability database maintained by. You can also stay ahead of the latest trends by following WordPress's own Security tag.
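The access, attack-surface, update and backup checks above can be turned into a repeatable audit. The script below is an added example, not part of the original article; it assumes WP-CLI (`wp`) is installed, is run from the WordPress root, and uses hypothetical function names. The check functions read the CSV that `wp ... --format=csv` prints, so they also work on captured output.

```shell
#!/bin/sh
# Added example (not from the original article): a small hardening audit
# built on WP-CLI output. The check functions read CSV on stdin, as
# produced by `wp ... --format=csv`, so they can be exercised against
# captured output as well as a live site. Function names are hypothetical.

# Limit access: count accounts holding the administrator role.
# Input: `wp user list --role=administrator --format=csv` (header + one row per user)
count_admins() {
  awk 'NR > 1 && NF { n++ } END { print n + 0 }'
}

# Least privilege / attack surface: inactive plugins or themes are candidates for removal.
# Input: `wp plugin list --format=csv` or `wp theme list --format=csv`
# Default columns: name,status,update,version
list_inactive() {
  awk -F, 'NR > 1 && $2 == "inactive" { print $1 }'
}

# Stay up-to-date: components for which WP-CLI reports an available update.
# Input: same CSV as list_inactive
list_outdated() {
  awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Backups: verify archives against a previously recorded SHA-256 checksum file
# (created with `sha256sum backup.tar.gz > backup.sha256` right after the backup).
# Returns 0 only if every listed file still matches; run from the backup directory.
verify_backup() {
  sha256sum -c --status "$1"
}

# Live audit, run from the WordPress root on a host where wp is installed.
if command -v wp >/dev/null 2>&1 && [ -f wp-config.php ]; then
  echo "administrator accounts: $(wp user list --role=administrator --format=csv | count_admins)"
  echo "inactive plugins (remove if unused):"; wp plugin list --format=csv | list_inactive
  echo "inactive themes (remove if unused):";  wp theme list --format=csv | list_inactive
  echo "plugins with updates available:";      wp plugin list --format=csv | list_outdated
  echo "themes with updates available:";       wp theme list --format=csv | list_outdated
  echo "core update status:";                  wp core check-update
fi
```

Schedule it from cron and review the output as the periodic status check the list above asks for; a growing administrator count or a non-empty "updates available" list is the signal to act on.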